Security expert highlights the need for more useful penetration tests

Dave Kennedy, a prominent security expert and writer, gave a presentation at a specialist security conference where he argued that the standard penetration test is offering less value to the client than it could.

April 4, 2012 - PRLog -- At the InfoSec World Conference 2012 in Orlando, Florida, USA (April 2-4), Dave Kennedy, a globally prominent information security expert and writer, gave a presentation on the need for more effective and useful penetration testing.  Kennedy, the author of “Metasploit: The penetration tester’s guide” and developer of the “Social Engineering Toolkit”, is currently Vice-President and CSO of global risk and security at Diebold Inc. in the USA. He highlighted areas where current tendencies in penetration testing were failing to deliver what businesses require in order to safeguard not only their computer systems but, more fundamentally, also their vital business assets.

Kennedy noted that penetration testing should not be exclusively focused on vulnerability scanning. He pointed to the fallacy of treating the choice of penetration test type as a purely cost-based decision. That approach will always favour the cheaper path of automated vulnerability scans over the more expensive, but vastly more thorough, strategy of a full manual penetration test undertaken by a specialist. Kennedy remarked that an automated scan may produce a voluminous report, but this does not necessarily offer much useful information to the business in terms of what needs to be done to address the core underlying issues: for that, a human specialist is required.

This point is endorsed by Briony Williams, a security consultant at commissum, an Edinburgh, UK-based information security consultancy. As she points out, “Automated vulnerability scans have an important place as part of a full penetration test, but on their own these scans are unable to simulate what a malicious attacker would be able to do to an organisation’s systems.” As Kennedy remarked, “You need to learn what your company has systemic issues with and how long the tester could exfiltrate data out of the company.”

This point is likewise seconded by Briony Williams of commissum, who remarks “The danger is that many companies who commission vulnerability scans may be lulled into the belief that a successful scan means their systems are secure. In reality, the scan is unable to dig down to the core issues in the way that a specialist tester can.  While many testing firms have recently appeared, those who commission security testing should ensure that the company they select has independent certification in terms of full manual penetration testing. For example, commissum is a member company of CREST (Council of Registered Ethical Security Testers), and hence is accredited as regards performing full penetration tests.  At commissum, we carry out many manual penetration tests and automated vulnerability scans, playing to the specific strengths of these two methodologies rather than attempting to use scanning as a substitute for full penetration testing.”

The debate sparked off by Dave Kennedy will no doubt continue for some time within the information security community.  However, with the growing incidence of cyber-threats to organisations of all sizes and types, it is more important than ever that those who commission security testing should be clear about the strengths and limitations of each type of test.

# # #

commissum is a European company specialising in information assurance and security services for business and government. Services include penetration testing, information assurance consultancy, information security auditing, and configuration of systems.
Source:Andrew Leith
Phone:+44 845 644 3217
Zip:EH6 6LB
Tags:Penetration Testing, Computer Security, Ethical Hacking
Location:Leith - Edinburgh - Scotland